1. INTRODUCTION

This paper deals with the generalization of theorems arising in program verification. The theorems of concern here are mostly about the properties of recursively defined functions (derived from program definitions), and their proof involves the use of induction. In proving such theorems, we have to confront three questions: how to find the variables or structures on which to carry out induction, how to choose an appropriate induction schema, and how to find its correct instantiation.

Intuitively, recursion and induction are complementary (see Boyer and Moore [2]): recursion starts with some structure and decomposes it until some basic structure is obtained; induction starts with some basic structure and builds up. This duality can be used for solving the problems of setting up the induction: we have to induct on those structures that are being recursively decomposed by the function ([1,2]).

In trying to prove theorems about recursively defined functions, it often happens that the induction step fails, that is, the theorem is not strong enough to carry itself through the induction. In such cases we try to find a more general theorem, which should be easier to prove than the one in which we are actually interested. The discovery of helpful generalizations requires a deep understanding of the function's performance. Some heuristics for generalization are based on the analysis of the functions involved: we try to understand the roles played by the arguments in the computation of the function, and we try to use this knowledge for generalization. This type of heuristic is exemplified by the method of Greif and Waldinger [4], where the symbolic execution of the program for its first few terms is followed by pattern matching to find a closed-form expression which generates the series so obtained. Another type of heuristic is represented by the method discovered by Boyer and Moore [2]. Here, expressions common to both sides of an equality are replaced with a new variable. It is quite a simple and powerful heuristic that seems to work well for simple list-manipulating functions.

Consider programs containing iterations. In such programs, some variables are used to accumulate results and are usually initialized with constant values. In the functional definitions obtained from such programs, these variables turn into auxiliary arguments with constant values, or, in the words of Wegbreit [11], specialized arguments. These arguments do not play any role in the functional definition, and yet their contribution to the function computation is essential. The effect of their replacement by variable arguments must be understood well if we are to carry out by induction the proof of some property relevant to such a function.


Since we are given some functional definition and some theorems about the functions so defined, we can, possibly, change either of these to make induction work. Hence we will study two ways to handle the problem caused by argument specialization:

Theorem Generalization: replacing the constant argument by a variable such that a more general theorem than the given one may be provable by induction. We describe how to generalize theorems about two typical classes of functions.

Function Redefinition: while the above method removes a specialization by creating a new, stronger theorem, function redefinition uses the specialization by creating a new definition from which all specialized arguments are effectively deleted. This requires a total rearrangement of the computation: it is not a syntactic manipulation. We describe the redefinition procedure for two classes of programs.

There is a duality between the problem of finding invariant assertions and the problem of finding theorem generalizations. It is shown in [10,11] that for a certain class of functions and theorems these problems are indeed equivalent: one can get an invariant assertion if one knows the generalization, and vice versa. As a side benefit of our generalization strategy, we show how to obtain invariant assertions in certain cases.


2. BASIC NOTATION AND DEFINITIONS

For defining functions we use the notation of recursive schemas (Manna [5]).

Our usage of letters is as follows:

F,G,H,f,g,h    to denote functions
x,y,z,u,v,w    to denote variables
p,q            to denote predicates
c              to denote constants

Subscripts and superscripts may also be added to the letters.

Furthermore we use

IF p THEN e1 ELSE e2    for conditional expressions

e1 <= e2                for defining functions (or predicates) e1 by the expression e2

Subscripts and superscripts may also be used.

Basically, functions are either instances of the recursion schema

F(y) <= IF p(y) THEN f(y) ELSE h(y,F(g(y)))

or of the composition schema

F(y) <= h(y,g(y))

where f, g, h are previously defined functions.

Depending on the domain there is a number of basic functions and basic constants; for example:

List theory

basic functions: CONS, CDR, CAR, EQUAL, ATOM
basic constant:  NIL

Number theory

basic functions: SUCC, PRED, =
basic constant:  0

Sometimes we will use well-known arithmetic functions and abbreviations without giving their explicit definitions.

In general we use unsubscripted letters to denote vectors and subscripted ones to denote the components of a vector. We use angular brackets to denote the explicit formation of a vector, and indexing for decomposition. Thus, x denotes the vector of variables <x1, x2, ..., xn> for some fixed n. Further, we reserve the letters x, y, z for the following special purpose: function F takes the input vector x, computes on the auxiliary state vector y and returns the output vector z = F(x) as the function value; c denotes a constant vector.

We will not define how to obtain the value of a function when applied to an argument. For our purpose, an intuitive understanding of this process is sufficient (for a detailed discussion see Manna and Pnueli [6]).

An important subclass of functions is obtained by instantiations of the iterative schema

F(y,y') <= IF p(y) THEN y' ELSE F(f(y),g(y,y'))                (1)

This type of function is obtained when we translate simple programs from a language with iteration (see McCarthy [7]). For instance, the program schema

WHILE p(y) DO <y,y'> :=: <f(y),g(y,y')> OD;                   (2)
RESULT :=: y'

where :=: denotes concurrent assignment, will be translated into the above-mentioned function.

The variable y tested in the termination condition is a recursion variable. Following Moore [9], y' is called an accumulator because "if a function modifies an argument during (some) recursive call but does not test the argument in the termination condition, the program considers that variable to be an accumulator".


3. THEOREM GENERALIZATION

3.1 Generality of Theorems

Suppose that we wish to prove by induction a theorem Th about the function F, defined over the domain of natural numbers, as an instance of the recursion schema

F(y) <= IF p(y) THEN g(y) ELSE h(y,F(n(y)))                    (3)

To prove Th(F(x)) by mathematical induction we have to prove

1) Basis: Th(F(0))

2) Induction step: Th(F(x)) -> Th(F(Succ(x)))

Usually the basis can be proven by evaluating F(0), but the induction step turns out to be more difficult. To simplify the conclusion in the induction step, we may evaluate F(Succ(x)):

F(Succ(x)) = IF p(Succ(x)) THEN g(Succ(x)) ELSE h(Succ(x),F(n(Succ(x))))

Because the hypothesis is about F(x), namely Th(F(x)), we have to express F(n(Succ(x))) in terms of F(x), and if n is different from the predecessor function it is not at all obvious what to do next. So we can see that mathematical induction, which serves best for proofs of theorems about functions defined by a primitive recursive schema, is not always suitable for proofs of theorems about functions defined by the recursive schema (3). For carrying out inductive proofs for functions defined by the recursive schema (3), we must, in order to simplify the conclusion in the induction step, take into account the way in which the function F is computed.

Let us observe the evaluation of F(x):

F(x) = h(x,F(n(x))) = h(x,h(n(x),F(n(n(x)))))
     = ... = h(x,h(n(x),...,h(n^(k-1)(x),F(n^k(x)))...))

The arguments of F in this evaluation form the sequence

x, n(x), n(n(x)), ..., n^k(x)

where k = min{j | p(n^j(x))}.

Thus we can use the following induction rule to prove Th(F(x)):

Basis: Th(F(n^k(x)))

Induction step: Th(F(n^(j+1)(x))) -> Th(F(n^j(x))) for all j < k

The schema (3) and the relation k = min{j | p(n^j(x))} allow us to obtain the following simpler and stronger rule, which we will refer to as the case induction rule.

Case Induction Rule

Let a total function F be defined as an instance of the recursion schema

F(y) <= IF p(y) THEN g(y) ELSE h(y,F(n(y)))

Then a theorem Th(F(x)) about F holds if and only if both of the following conditions are satisfied:

a) Basis: p(y) -> Th(F(y))                                      (4)

b) Induction step: ¬p(y) & Th(F(n(y))) -> Th(F(y))

If the function F is a total function, then the conditions a) and b) are not only sufficient, as follows from the above discussion, but also necessary. This can be proved by contradiction as follows.

Suppose Th(F(x)) holds for all x, but either a) or b) does not hold. Then:

If p(y) -> Th(F(y)) is false for some y0, then Th(F(y0)) must be false, since Th(F(y)) is defined for all y. This contradicts the assumption that Th(F(x)) is true for all x.

If ¬p(y) & Th(F(n(y))) -> Th(F(y)) is false for some y0, Th(F(y0)) must be false, resulting in the same contradiction.

Thus, if the function F is total, the conditions a) and b) are not only sufficient but also necessary in order for Th(F(x)) to be true.

For functions defined by the recursion schema, the case induction rule (4) is easier to use than mathematical induction, because the evaluation of F(y) on the right-hand side of the implication gives us the expression

¬p(y) & Th(F(n(y))) -> Th(IF p(y) THEN g(y) ELSE h(y,F(n(y))))

Since both sides of the implication now contain the expression F(n(y)), it seems to be easier to simplify the conclusion using the hypothesis. This is why, in the rest of this chapter, we use the case induction rule (4) to prove theorems by induction.

Suppose we have to prove the theorem

IN(x) -> F(x) = G(x)

where F is a function defined by an instance of the recursion schema (3), G is some other previously defined function and IN is a predicate describing the initial values of the arguments of function F. Using case induction we have to prove

Basis:

p(x) -> (IN(x) -> F(x) = G(x))

which can be simplified into

p(x) & IN(x) -> g(x) = G(x).

Induction step:

[¬p(x) & (IN(n(x)) -> F(n(x)) = G(n(x)))] -> [IN(x) -> F(x) = G(x)]

which can be simplified into

[¬p(x) & IN(x) & (IN(n(x)) -> F(n(x)) = G(n(x)))] -> [F(x) = G(x)]

or

[¬p(x) & IN(x) & (IN(n(x)) -> F(n(x)) = G(n(x)))] -> [h(x,F(n(x))) = G(x)]

To simplify the conclusion h(x,F(n(x))) = G(x), we have to use the assumption IN(n(x)) -> F(n(x)) = G(n(x)). Now, if IN(n(x)) is not true, then we do not know anything about the relation between F(n(x)) and G(n(x)) that would let us simplify the conclusion. But if IN(n(x)) happens to be true because of ¬p(x) and IN(x), then the assumption F(n(x)) = G(n(x)) can be used in simplifying the conclusion, and the theorem to prove would be

¬p(x) & IN(x) -> h(x,G(n(x))) = G(x).

Thus if ¬p(x) & IN(x) -> IN(n(x)) holds, then we can use the assumption to simplify the conclusion. In other words, the theorem in this case is strong enough to carry itself through the induction.

To sum up the discussion, we state the following theorem:

THEOREM 1: If a predicate IN satisfies the condition

IN(x) & ¬p(x) -> IN(n(x))                                       (5)

and the function F defined by (3) above is total on the domain specified by IN, then the property

IN(x) -> F(x) = G(x)

holds iff both

a) p(x) & IN(x) -> g(x) = G(x)

b) ¬p(x) & IN(x) -> h(x,G(n(x))) = G(x)

are true.

PROOF:

<-) By case induction.

Basis: We have to prove that

p(x) & IN(x) -> F(x) = G(x)

but this is immediate from the definition of F.

Induction step: We have to prove that

[¬p(x) & (IN(n(x)) -> G(n(x)) = F(n(x)))] -> [IN(x) -> G(x) = F(x)]

1  ¬p(x) & IN(x) -> h(x,G(n(x))) = G(x)                          assumption b)

2  ¬p(x) & IN(n(x)) & G(n(x)) = F(n(x)) -> h(x,F(n(x))) = G(x)
   from 1 using properties of -> and &

3  ¬p(x) & [IN(x) & IN(n(x)) & G(n(x)) = F(n(x))] -> [h(x,F(n(x))) = G(x)]
   from 2 and (5) using properties of -> and &

4  ¬p(x) & [IN(n(x)) -> G(n(x)) = F(n(x))] -> [IN(x) -> G(x) = F(x)]
   from 3 and def. of F, using properties of -> and &

->) By case analysis.

CASE 1: p(x) is true.

We have to prove that

p(x) & IN(x) -> g(x) = G(x)

But this is immediate from the definition of F.

CASE 2: ¬p(x) is true.

We have to prove

¬p(x) & IN(x) -> h(x,G(n(x))) = G(x)

1  ¬p(x) & IN(x) -> h(x,F(n(x))) = G(x)
   from assumptions and def. of F using properties of & and ->

2  ¬p(x) & IN(n(x)) -> ¬p(x) & F(n(x)) = G(n(x))
   from assumptions with instantiation of x as n(x), using properties of & and ->

3  ¬p(x) & IN(x) -> ¬p(x) & IN(n(x))
   from (5) using properties of & and ->

4  ¬p(x) & IN(x) -> ¬p(x) & F(n(x)) = G(n(x))
   from 3 and 2

5  ¬p(x) & IN(x) -> ¬p(x) & G(n(x)) = F(n(x)) & h(x,F(n(x))) = G(x)
   from 4 and 1 using properties of -> and &

6  ¬p(x) & IN(x) -> h(x,G(n(x))) = G(x)
   from 5 using properties of -> and &.

Essentially, the condition

¬p(x) & IN(x) -> IN(n(x))

is a requirement that IN, the input specification, is strong enough to describe all possible values that the arguments of F can take on during the computation. For example, consider the case of the theorem

F(x,1) = x!

where we define

F(y1,y2) <= IF y1 = 0 THEN y2 ELSE F(y1-1, y1*y2)

In this case

p(y1,y2)  <= y1 = 0
IN(y1,y2) <= y1 is INT & y2 = 1
n(y1,y2)  <= <y1-1, y1*y2>

where INT denotes the domain of integers. Condition (5) is not satisfied because

¬p(x) & IN(x) -> IN(n(x))

or

[y1 is INT & y2 = 1 & y1 ≠ 0] -> [(y1-1) is INT & y1*y2 = 1]

or

[y1 is INT & y2 = 1 & y1 ≠ 0] -> [(y1-1) is INT & y1*1 = 1]

is not true. The reason is that y2 is too specialized.

But suppose the theorem and the input specification were to be generalized to be, respectively,

F(x,y) = y*x!

IN(y1,y2) <= [y1 is INT & y2 is INT]

Now condition (5) clearly holds:

[y1 ≠ 0 & (y1 is INT & y2 is INT)] -> [(y1-1) is INT & (y1*y2) is INT]

Thus, the input specification IN must be general enough to satisfy (5). In other words, (5) is the criterion for judging whether a certain theorem generalization strategy is useful. If, using the specific generalization strategy, we make it more likely to satisfy condition (5), then that strategy is useful. We do not intend to check whether a specific theorem is strong enough; this we leave to the proof process itself. Our theorem is a special case of the theorem given by Wegbreit [11] but is a more general version than the one given by Misra [8]. In their papers it was shown moreover that if a function F, total on the domain specified by IN, satisfies the conditions

1) IN(x) -> F(x) = G(x)

2) ¬p(x) & IN(x) -> IN(n(x))

then a correct invariant assertion is

IN(y) & G(x) = G(y)

Thus, to obtain the invariant assertion for a program in which the input specification is not strong enough, we can first use a generalization strategy to strengthen IN and then construct the invariant assertion.
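As an added check that is not part of the paper, the following Python encodes the factorial function of this section, searches a finite box of arguments for violations of condition (5) under the specialized and the generalized input specification, and tests the invariant assertion IN(y) & G(x) = G(y) along the computation of F(x); reading "y1 is INT" as "y1 is a non-negative integer" (so that x! exists) is an assumption made here.

```python
# Added example (not from the paper): THEOREM 1's condition (5) and the invariant
# assertion IN(y) & G(x) = G(y), checked on the factorial function of this section,
#     F(y1,y2) <= IF y1 = 0 THEN y2 ELSE F(y1-1, y1*y2).
# Assumption: "y1 is INT" is read as "y1 is a non-negative integer" so that x! exists.
from math import factorial

def p(y):                      # termination test of the recursion schema
    return y[0] == 0

def n(y):                      # argument transformation n(y1,y2) = <y1-1, y1*y2>
    y1, y2 = y
    return (y1 - 1, y1 * y2)

def F(y):                      # F computed by unfolding its recursion schema
    while not p(y):
        y = n(y)
    return y[1]                # g(y) = y2 in the base case

def IN_specialized(y):         # input specification of the theorem F(x,1) = x!
    return isinstance(y[0], int) and y[0] >= 0 and y[1] == 1

def IN_general(y):             # generalized specification of F(x,y) = y*x!
    return isinstance(y[0], int) and y[0] >= 0 and isinstance(y[1], int)

def G(y):                      # closed form claimed by the generalized theorem
    return y[1] * factorial(y[0])

def condition5_counterexamples(IN, bound):
    """Points y with IN(y) & not p(y) for which IN(n(y)) fails, i.e. violations
    of condition (5), found by exhaustive search over a finite box of arguments."""
    bad = []
    for y1 in range(bound):
        for y2 in range(-bound, bound):
            y = (y1, y2)
            if IN(y) and not p(y) and not IN(n(y)):
                bad.append(y)
    return bad

def invariant_holds_along_computation(x):
    """Check the invariant assertion IN(y) & G(x) = G(y) of the text at every
    intermediate argument y reached while computing F(x), with IN = IN_general."""
    y = x
    while True:
        if not (IN_general(y) and G(x) == G(y)):
            return False
        if p(y):
            return True
        y = n(y)
```

With the specialized IN the search reports every y1 > 1 as a violation (the second argument y1*1 is no longer 1), while with the generalized IN it reports none, which is exactly the difference the text describes.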


3.2 Generalization Scheme I

Suppose we have to prove

F(x1,1) = x1!                                                   (6)

where F is defined by

F(y1,y2) <= IF y1 = 0 THEN y2 ELSE F(y1-1, y1*y2)

To prove this theorem by induction we have to establish

Basis: F(0,1) = 0!

Induction step: F(x1,1) = x1! -> F(x1+1,1) = (x1+1)!

For the basis, we just start with the left-hand side and substitute the definition of F:

F(0,1) = IF (0=0) THEN 1 ELSE F(0-1, 0*1) = 1 = 0!

This verifies the basis. Now let us try the induction step.

F(x1+1,1) = IF (x1+1=0) THEN 1 ELSE F(x1+1-1, (x1+1)*1) = F(x1, x1+1),

since x1+1 ≠ 0 for any natural number. But now we realize that we are stuck, as the induction hypothesis does not help us: it would let us simplify F(x1,1) but not F(x1,x1+1).

But instead of proving (6) directly, let us try to prove the following generalization of it:

F(x1,x2) = x1!*x2

The proof by induction on x1 goes very smoothly. For the basis, we just use the definition of F to obtain

F(0,x2) = IF (0=0) THEN x2 ELSE F(0-1, 0*x2) = x2 = 1*x2 = 0!*x2

For the induction step, we assume F(x1,x2) = x1!*x2, and then we try to prove F(x1+1,x2) = (x1+1)!*x2.

F(x1+1,x2) = IF (x1+1=0) THEN x2 ELSE F(x1+1-1, (x1+1)*x2)
           = F(x1, (x1+1)*x2),    since x1+1 ≠ 0 for any natural number
           = x1!*(x1+1)*x2,       by the induction hypothesis
           = (x1+1)!*x2

Hence the theorem F(x1,x2) = x1!*x2 has been established. The weaker theorem F(x1,1) = x1! is just the special case x2 = 1 of the theorem F(x1,x2) = x1!*x2.

The situation described above is quite common. In a program using iteration, some of the arguments are used as help arguments. Their initial values are usually constant, and therefore they will play no role in the original description of the function properties, yet their contribution to the computation is essential and must be understood and expressed in the theorems about function properties. Ideally, the initial values of the arguments of a function should be as mutually independent and as general as possible.

In general, suppose we have to prove

F1(x,c) = F2(x)                                                 (7)

where F1 is an instance of the iteration schema

F(y,y') <= IF p(y) THEN y' ELSE F(f(y),g(y,y'))

Then we observe that the final value of y' (and therefore the value of F1(x,c)) is built up by repeated application of the function g. The final value of y' is thus

t(i) = g(f^i(x), g(f^(i-1)(x), ..., g(f(x), g(x,c))...))

where f^i(x) denotes f(f(f(...(x)))) with i applications of f. Suppose we would like to generalize (7) by replacing c with h1(c,z), where z is a new variable. Then the final value of y' will be

g(f^i(x), g(f^(i-1)(x), ..., g(x, h1(c,z))...))

Now suppose we can find two functions h1 and h2 with the property

g(u,h1(v,w)) = h1(g(u,v), h2(u,v,w))                             (8)

Then

g(u, g(u', h1(v,w))) = g(u, h1(g(u',v), h2(u',v,w)))
                     = h1(g(u,g(u',v)), h2(u, g(u',v), h2(u',v,w)))

In other words, if we can find a pair of functions h1 and h2 with the property (8), then the final value of y' is

h1(t(i), h2(f^i(x), t(i-1), h2(f^(i-1)(x), t(i-2), ..., h2(f^2(x), t(1), h2(f(x), g(x,c), h2(x,c,z)))...)))      (9)

The first argument of h1, t(i), is equal to F1(x,c), and the second argument of h1 is the iteration of h2 with its first and second arguments having the same values as they have during the evaluation of F1. Using the definition of F1, we can define a new function F3 so that F3(x,c,z) equals the second argument of h1 in (9). This F3 is defined as follows:

F3(y,y',y'') <= IF p(y) THEN y'' ELSE F3(f(y), g(y,y'), h2(y,y',y''))

Now the generalization of a theorem should be an expression which

a) we believe is in fact a theorem,

b) has the original theorem as an instance,

c) is easier to prove.

We suggest

F1(x,h1(c,z)) = h1(F2(x), F3(x,c,z))

as a generalization of (7). It has all the above-mentioned properties, as the following theorem shows.

THEOREM 2: Let g, f, F2 be some previously defined functions, F1 be defined by the iteration schema

F1(y,y') <= IF p(y) THEN y' ELSE F1(f(y), g(y,y'))

and F3 be defined by

F3(y,y',y'') <= IF p(y) THEN y'' ELSE F3(f(y), g(y,y'), h2(y,y',y''))

If

F1(x,c) = F2(x)

and there exist functions h1 and h2 satisfying

g(u,h1(v,w)) = h1(g(u,v), h2(u,v,w))

then

F1(x,h1(c,z)) = h1(F2(x), F3(x,c,z))                             (10)

holds.

LEMMA 1: Under the conditions and definitions of THEOREM 2, it is the case that

F1(x,h1(w,z)) = h1(F1(x,w), F3(x,w,z))

PROOF: By case induction.

Basis: We have to prove

p(x) -> h1(w,z) = h1(w, F3(x,w,z))

This we do as follows:

1  p(x)                                                  assumption

2  F1(x,h1(w,z)) = h1(w,z)                               from 1 and def. of F1

3                = h1(F1(x,w), F3(x,w,z))                from 1 and def. of F1 and F3

Induction step: We have to prove

[¬p(x) & F1(f(x),h1(w,z)) = h1(F1(f(x),w), F3(f(x),w,z))] -> [F1(x,h1(w,z)) = h1(F1(x,w), F3(x,w,z))]

This we do as follows:

1  ¬p(x) & F1(f(x),h1(w,z)) = h1(F1(f(x),w), F3(f(x),w,z))
   assumption

2  F1(x,h1(w,z)) = F1(f(x), g(x,h1(w,z)))
   from 1 and def. of F1

3                = F1(f(x), h1(g(x,w), h2(x,w,z)))
   from (8)

4                = h1(F1(f(x),g(x,w)), F3(f(x),g(x,w),h2(x,w,z)))
   from 1 (instantiate w as g(x,w) and z as h2(x,w,z))

5                = h1(F1(x,w), F3(x,w,z))
   from def. of F1 and F3

PROOF OF THEOREM 2

1  F1(x,h1(c,z)) = h1(F1(x,c), F3(x,c,z))
   from LEMMA 1 (instantiate w as c)

2  F1(x,h1(c,z)) = h1(F2(x), F3(x,c,z))
   from 1 and the assumption F1(x,c) = F2(x)

The condition

g(u,h1(v,w)) = h1(g(u,v), h2(u,v,w))

does not guarantee that the original theorem is an instance of the generalized expression. In general, it is difficult to state how to derive h1 and h2 so that the original theorem is an instance of the more general expression (10). Nevertheless, we can say what a sufficient condition is.

THEOREM 3: Under the definitions and conditions of THEOREM 2, a sufficient condition that F1(x,c) = F2(x) is an instance of F1(x,h1(c,z)) = h1(F2(x), F3(x,c,z)) is that for all u and v there exists a z such that

h1(u,z) = u & h2(u,v,z) = z                                     (11)

PROOF:

Let z0 be the value of z satisfying (11). Then

F1(x,h1(c,z0)) = F1(x,c)
h1(F2(x), F3(x,c,z0)) = h1(F2(x), z0) = F2(x)

Thus, for z = z0, F1(x,h1(c,z)) = h1(F2(x), F3(x,c,z)) can be simplified to F1(x,c) = F2(x).

Although (11) is not a necessary condition, experience indicates that it is a natural and easily satisfied requirement.

Using a new variable z gives us the opportunity to instantiate the accumulator and therefore increases the likelihood that we will be able to match the accumulators in the hypothesis and in the conclusion. Formally, to guarantee that (10) is a useful generalization, we must have

¬p(x) & IN(x) -> IN(n(x))

Let R denote the range of a function and D its domain; then this condition can be written as

[¬p(y) & (y in D) & (z in D) & (y' in R(h1(c,z)))] -> [g(y,y') in R(h1(c,z))]

It cannot, of course, be guaranteed that an h1 satisfying (5) will also satisfy the above condition, but the chance that this will happen is always there. In those cases when h1(c,z) = z, (5) is always satisfied, namely:

[¬p(y) & (y in D) & (z in D) & (y' in D)] -> [g(y,y') in D]

This suggests a possible way of finding the function h1: depending upon the domain, we know which constants are identities for certain functions (0 is an identity for +, 1 for *, etc.), so depending upon the constants, certain functions suggest themselves as candidates for h1. The question naturally arises how to find functions h1 and h2 more systematically. The functions h1 and h2 depend on g, and very often the function g itself, some modification of it, or its constituent functions are suitable candidates for h1 and h2. For example, if g is such that

g(u,g(v,w)) = g(g(u,v),w)
g(c,z) = z

then h1 is g itself and h2(u,v,w) = w. Or, if

g(u,g(v,w)) = g(v,g(u,w))
g(c,z) = z

then h1(u,v) <= g(v,u) and h2(u,v,w) = w.

At present, we do not know how to find h1 and h2 more systematically (if they exist at all), but practical experience has convinced us that very often there are natural candidates for such functions. We hope that the forthcoming examples will be convincing enough.

Summary

To generalize the accumulator in theorems of the type

F1(x,c) = F2(x)

where F1 is defined by the iteration schema

F1(y,y') <= IF p(y) THEN y' ELSE F1(f(y), g(y,y')),

first we have to find functions h1 and h2 having the properties

g(u,h1(v,w)) = h1(g(u,v), h2(u,v,w))

For some z: (h1(u,z) = u & h2(u,v,z) = z)

Then the generalization is

F1(x,h1(c,z)) = h1(F2(x), F3(x,c,z))

where F3 is defined by

F3(y,y',y'') <= IF p(y) THEN y'' ELSE F3(f(y), g(y,y'), h2(y,y',y''))

Remark

Although we have only considered theorems of the type

F1(x,c) = F2(x),

all the results and methods can also be used for more complicated cases, e.g.

F1(m(x),k(x)) = F2(x)

Example 1: Let F1 be defined by

F1(y1,y2) <= IF (y1 = 0) THEN y2 ELSE F1(y1-1, y1*y2)

Then

g(y1,y2) <= y1*y2

and we can choose

h1(y1,y2) <= y1*y2        h2(y1,y2,y3) <= y3.

Now (8) is satisfied because

g(u,h1(v,w)) = u*(v*w) = (u*v)*w = h1(g(u,v), h2(u,v,w))

and condition (11) is satisfied for z = 1. The generalization of

F1(x,1) = x!

is then

F1(x,h1(1,z)) = h1(x!, F3(x,1,z))

where

F3(y1,y2,y3) <= IF (y1=0) THEN y3 ELSE F3(y1-1, y1*y2, y3)

Since h2 is the identity function on its third argument, F3(y1,y2,y3) = y3. Therefore, substituting for h1, the generalization becomes

F1(x,z) = x!*z

Example 2: Let F1(y1,y2,y3) be defined by

F1(y1,y2,y3) <= IF (y1 = 0) THEN y3
                ELSE F1(y1 div 2, y2*y2, IF odd(y1) THEN y2*y3 ELSE y3)

Then we have

f(y1,y2) <= <y1 div 2, y2*y2>
g(y1,y2,y3) <= IF odd(y1) THEN y2*y3 ELSE y3

So we can choose h1 and h2 as

h1(y1,y2) <= y1*y2        h2(y1,y2,y3,y4) <= y4

Now we have

g(y1,y2,h1(y3,y4)) = IF odd(y1) THEN y2*(y3*y4) ELSE y3*y4
                   = (IF odd(y1) THEN y2*y3 ELSE y3) * y4
                   = h1(g(y1,y2,y3), h2(y1,y2,y3,y4))

Therefore

F1(x2,x1,1) = x1**x2

generalizes to

F1(x2,x1,z) = z*(x1**x2).

Example 3: Let F1 be defined as follows:

F1(y1,y2) <= IF y1 = NIL THEN y2 ELSE F1(cdr(y1), car(y1) + 2*y2)

Thus g is

g(y1,y2) = car(y1) + 2*y2

so that

g(u,h1(v,w)) = car(u) + 2*h1(v,w).

On the other hand, we have

h1(g(u,v), h2(u,v,w)) = h1(car(u) + 2*v, h2(u,v,w))

So if we choose h1(y1,y2) = y1 + y2 and h2(y1,y2,y3) = 2*y3, then we will have

g(u,h1(v,w)) = car(u) + 2*(v + w) = car(u) + 2*v + 2*w = h1(g(u,v), h2(u,v,w))

F3 is then defined by

F3(y1,y2,y3) <= IF y1 = NIL THEN y3 ELSE F3(cdr(y1), car(y1) + 2*y2, 2*y3)

or, more simply, by

F3(y1,y2) <= IF y1 = NIL THEN y2 ELSE F3(cdr(y1), 2*y2)

Thus if the theorem to be proved is

F1(x,0) = INTEGER(x)

where INTEGER is some standard function translating a list of 0's and 1's into an integer, then this theorem can be generalized into

F1(x,z) = INTEGER(x) + F3(x,z)
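The scheme of THEOREM 2 run on Examples 1 to 3, as an added example that is not code from the paper: F1 and F3 are computed by iterating their schemas, and conditions (8) and (11), the original theorem (7) and the generalization (10) are checked on finite samples. Assumptions made here: the recursion variable y is an int in Example 1, the pair <y1,y2> in Example 2 and a list in Example 3, and INTEGER reads its list with the most significant bit first.

```python
# Added example (not from the paper): Generalization Scheme I / THEOREM 2 run on
# Examples 1-3.  F1 and F3 are computed by iterating their schemas, and conditions
# (8), (11), the original theorem (7) and the generalization (10) are checked on
# finite samples of inputs.  Assumptions: the recursion variable y is an int
# (Example 1), a pair <y1,y2> (Example 2) or a list (Example 3); INTEGER reads the
# list big-endian, most significant bit first.
from functools import reduce
from math import factorial

def make_F1(p, f, g):
    """F1(y,y') <= IF p(y) THEN y' ELSE F1(f(y), g(y,y'))"""
    def F1(y, acc):
        while not p(y):
            y, acc = f(y), g(y, acc)      # simultaneous update, as in schema (2)
        return acc
    return F1

def make_F3(p, f, g, h2):
    """F3(y,y',y'') <= IF p(y) THEN y'' ELSE F3(f(y), g(y,y'), h2(y,y',y''))"""
    def F3(y, acc, z):
        while not p(y):
            y, acc, z = f(y), g(y, acc), h2(y, acc, z)
        return z
    return F3

def check_scheme_I(p, f, g, h1, h2, F2, c, z0, xs, accs, zs):
    """Report which of (8), (11), (7), (10) hold on the samples: xs are recursion
    variable values, accs accumulator values, zs values of the new variable z.
    (8) and (11) are only required where g is actually applied, i.e. when not p(u)."""
    F1, F3 = make_F1(p, f, g), make_F3(p, f, g, h2)
    us = [u for u in xs if not p(u)]
    eq8 = all(g(u, h1(v, w)) == h1(g(u, v), h2(u, v, w))
              for u in us for v in accs for w in zs)
    eq11 = all(h1(v, z0) == v and h2(u, v, z0) == z0 for u in us for v in accs)
    eq7 = all(F1(x, c) == F2(x) for x in xs)
    eq10 = all(F1(x, h1(c, z)) == h1(F2(x), F3(x, c, z)) for x in xs for z in zs)
    return {"(8)": eq8, "(11)": eq11, "(7)": eq7, "(10)": eq10}

def example_1():
    """F1(x,1) = x! generalized to F1(x,z) = x!*z."""
    return check_scheme_I(p=lambda y: y == 0, f=lambda y: y - 1,
                          g=lambda y, a: y * a,
                          h1=lambda v, w: v * w, h2=lambda u, v, w: w,
                          F2=factorial, c=1, z0=1,
                          xs=range(7), accs=range(1, 6), zs=range(-3, 4))

def example_2():
    """F1(x2,x1,1) = x1**x2 (squaring) generalized to F1(x2,x1,z) = z*(x1**x2);
    here y = <y1,y2> is the pair (exponent, base)."""
    return check_scheme_I(p=lambda y: y[0] == 0,
                          f=lambda y: (y[0] // 2, y[1] * y[1]),
                          g=lambda y, a: y[1] * a if y[0] % 2 else a,
                          h1=lambda v, w: v * w, h2=lambda u, v, w: w,
                          F2=lambda y: y[1] ** y[0], c=1, z0=1,
                          xs=[(e, b) for e in range(6) for b in range(1, 4)],
                          accs=range(1, 5), zs=range(-2, 3))

def INTEGER(bits):
    """Assumed meaning of the paper's INTEGER: list of 0/1 digits, MSB first."""
    return reduce(lambda acc, bit: 2 * acc + bit, bits, 0)

def example_3():
    """F1(x,0) = INTEGER(x) generalized to F1(x,z) = INTEGER(x) + F3(x,z)."""
    return check_scheme_I(p=lambda y: y == [], f=lambda y: y[1:],
                          g=lambda y, a: y[0] + 2 * a,
                          h1=lambda v, w: v + w, h2=lambda u, v, w: 2 * w,
                          F2=INTEGER, c=0, z0=0,
                          xs=[[int(b) for b in format(k, "b")] for k in range(16)] + [[]],
                          accs=range(0, 5), zs=range(-3, 4))
```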


3.3 Generalization Scheme II

Suppose we have to prove

F1(x,c,c') = F2(x)                                              (12)

where

F1(y1,y2,y3) <= IF (y1 = y2) THEN y3 ELSE F1(y1, f(y2), g(y2,y3)).

To prove this theorem, we have to carry out induction on y2. But this is impossible because the initial value of y2 is constant. Therefore we must generalize (12) by replacing c with a more general term. In the previous heuristic, we replaced a constant with a function h(z) and then tried to find the influence of this change of initial value on the final result. It was easy to see how the change of the initial value of an accumulator propagates through the whole computation, because of the limited role played by an accumulator in the function execution. It is harder to apply the same strategy to the recursion variable. The initial value of the accumulator determines the depth of recursion, and at each level of recursion the value of the recursion variable contributes to the final result of the computation. Consequently, the change in the initial value of the induction variable has a much more complicated influence on the final result of the computation. So the choice of the function h must be more careful, and is in fact limited. A good strategy would be to replace c with an expression describing all possible values that the recursion variable can take on during the computation of F1(x,c,c'). Suppose we can derive the values of the recursion variable and the accumulator at recursion depth z, say h(z) and G(z), respectively. Now if (12) holds, then

F1(x,h(z),G(z)) = F2(x)

would be a good generalization.

The generalized theorem could be proven by induction on z
(which is, in fact, induction on the depth of recursion). So the
question is how to find h(z) and G(z). Observe that

F1(x,c,c') = F1(x,f(c),g(c,c'))                                   if c ≠ x
           = F1(x,f^2(c),g(f(c),g(c,c')))                         if f(c) ≠ x
           ...
           = F1(x,f^i(c),g(f^(i-1)(c),g(f^(i-2)(c),...,g(c,c'))))      (13)

if i <= maxi = min{j | f^j(c) = x}.

Thus G(i) = g(f^(i-1)(c),g(f^(i-2)(c),...,g(c,c'))).

On the other hand, if i <= maxi, then by (12) with x replaced
by f^i(c),

F2(f^i(c)) = F1(f^i(c),c,c')
           = F1(f^i(c),f(c),g(c,c'))
           = F1(f^i(c),f^2(c),g(f(c),g(c,c')))                         (14)
           ...
           = F1(f^i(c),f^i(c),g(f^(i-1)(c),g(f^(i-2)(c),...,g(c,c'))))
           = g(f^(i-1)(c),g(f^(i-2)(c),...,g(c,c')))
           = G(i)

Thus G(i) can be replaced by F2(f^i(c)).

THEOREM 4: Let F1 be defined as in (12), and let F2 be some previously
defined function. Then

(0 <= z <= maxi) -> F1(x,h(z),F2(h(z))) = F2(x)              (15)

holds iff

F1(x,c,c') = F2(x)

holds, where

maxi = min{j | f^j(c) = x}
h(z) <= IF z = 0 THEN c ELSE f(h(z-1))

PROOF

<-) by the above motivation.

->) On substituting z = 0, (12) is obtained from (15).

The expression (15) is a suitable generalization of (12) if
the predicate IN(y1,y2,y3) describing the possible initial
values of the variables y1, y2 and y3 satisfies the condition

¬p(x) & IN(x) -> IN(n(x)).

IN can be defined by

IN(y1,y2,y3) <= (0 <= z <= maxi) -> (y2 = h(z) & y3 = F2(y2))
                & (x and z are natural numbers)

Intuitively, IN satisfies the condition (5) because it describes
all possible values of the variables during the execution of
F1(x,c,c'). Formally,

IN(y1,y2,y3) & (y1 ≠ y2) -> IN(y1,f(y2),g(y2,y3))

If we assume that (12) holds, then the above is really the case,
which can be proved by substituting the definition of IN and
using properties of -> .

Remark:

In the above discussion, we used the simplest case of
theorem (12). In fact, the initial value of y2 does not have to
be constant. It can also be a function of x, say M(x). But to be
able to derive the value of the accumulator at the recursion
depth z, it is useful when it is the case that

M(h(x,z)) = M(x)  for all 0 <= z <= maxi

where h is defined by

h(y1,y2) <= IF (y2=0) THEN M(y1) ELSE f(h(y1,y2-1)).

For example, an M which has this property is

M(y1) <= IF p(y1) THEN y1 ELSE M(If(y1)),

where If is the inverse of f, i.e. f(If(y1)) = y1, and maxi is the
first i for which p(If^i(x)) holds. Now we can write

M(x) = M(If(x)) = M(If^2(x)) = ... = M(If^maxi(x)) = If^maxi(x)

h(x,z) = f^z(If^maxi(x)) = If^(maxi-z)(x),  for all 0 <= z <= maxi

and M(h(x,z)) = M(If^(maxi-z)(x)) = If^maxi(x) = M(x).

We can therefore generalize F1(x,M(x),c') = F2(x) into

(0 <= z <= maxi) -> F1(x,h(x,z),F2(h(x,z))) = F2(x)

and, using the relation between f and If, this can be rewritten as

(0 <= z <= maxi') -> F1(x,h'(x,z),F2(h'(x,z))) = F2(x),

where

h'(x,z) <= IF z = 0 THEN x ELSE If(h'(x,z-1))
maxi' = min{i | p(h'(x,i))}.
Example 4:

F1(y1,y2,y3) <= IF (y1 = y2) THEN y3
                ELSE F1(y1,y2+1,(y2+1)*y3)

We define h as follows

h(z) <= IF z = 0 THEN 0 ELSE h(z-1) + 1

or in other words, h(z) = z. So we can generalize F1(x,0,1) = x! into

(0 <= z <= x) -> F1(x,z,z!) = x!

because maxi = min{i | i = x} = x.

Example 5: Let div denote integer division and mod denote the
remainder after the integer division.

M(y1,y2) <= IF y1 < y2 THEN y2 ELSE M(y1,2*y2)

F1(y1,y2,y3,y4) <= IF (y1 = y2) THEN <y3,y4>
                   ELSE IF (y3 >= y2 div 2)
                        THEN F1(y1,y2 div 2,y3 - y2 div 2,2*y4+1)
                        ELSE F1(y1,y2 div 2,y3,2*y4)

Since (2*y2) div 2 = y2, we can apply the above method,
generalizing

F1(x2,M(x1,x2),x1,0) = <x1 mod x2, x1 div x2>

into

(0 <= z <= maxi) ->
F1(x2,h(x2,z),x1 mod h(x2,z),x1 div h(x2,z)) = <x1 mod x2, x1 div x2>

where h(y1,y2) <= IF y2 = 0 THEN y1 ELSE 2*h(y1,y2-1).

In a more standard notation, h(y1,y2) = 2^y2 * y1, and maxi is then
min{i | 2^i * x2 > x1}.
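As an added worked example (not the paper's own code), the following Python program implements Examples 4 and 5 and checks the instantiated form of (15) at every recursion depth z between 0 and maxi: the factorial invariant F1(x,z,z!) = x! and the division invariant F1(x2,h(x2,z),x1 mod h(x2,z),x1 div h(x2,z)) = <x1 mod x2, x1 div x2>, including the end point z = maxi at which h(x2,maxi) = M(x1,x2) and the invariant collapses to the original theorem. The names f1_fact, f1_div, maxi and check_all are this example's own; the recursive definitions are transcribed as loops where the recursion is a tail call.

```python
# Added example (not from the paper): Generalization Scheme II,
# Examples 4 and 5, checking the instantiated invariant (15) at every
# recursion depth z with 0 <= z <= maxi.
from math import factorial


def f1_fact(y1, y2, y3):
    """Example 4: F1(y1,y2,y3) <= IF y1 = y2 THEN y3
                                ELSE F1(y1, y2+1, (y2+1)*y3)."""
    while y1 != y2:                 # tail recursion written as a loop
        y2, y3 = y2 + 1, (y2 + 1) * y3
    return y3


def fact_invariant_holds(x):
    """(0 <= z <= x) -> F1(x,z,z!) = x!   (h(z) = z, maxi = x)."""
    return all(f1_fact(x, z, factorial(z)) == factorial(x)
               for z in range(x + 1))


def m(y1, y2):
    """Example 5: M(y1,y2) <= IF y1 < y2 THEN y2 ELSE M(y1, 2*y2)."""
    while not y1 < y2:
        y2 = 2 * y2
    return y2


def f1_div(y1, y2, y3, y4):
    """Example 5, binary long division:
    F1(y1,y2,y3,y4) <= IF y1 = y2 THEN <y3,y4>
                       ELSE IF y3 >= y2 div 2
                            THEN F1(y1, y2 div 2, y3 - y2 div 2, 2*y4+1)
                            ELSE F1(y1, y2 div 2, y3, 2*y4)."""
    while y1 != y2:
        half = y2 // 2
        if y3 >= half:
            y2, y3, y4 = half, y3 - half, 2 * y4 + 1
        else:
            y2, y3, y4 = half, y3, 2 * y4
    return (y3, y4)


def h(y1, y2):
    """h(y1,y2) <= IF y2 = 0 THEN y1 ELSE 2*h(y1,y2-1), i.e. 2**y2 * y1."""
    return y1 if y2 == 0 else 2 * h(y1, y2 - 1)


def maxi(x1, x2):
    """maxi = min{i | 2**i * x2 > x1}; requires x2 >= 1."""
    i = 0
    while not h(x2, i) > x1:
        i += 1
    return i


def div_invariant_holds(x1, x2):
    """(0 <= z <= maxi) ->
    F1(x2,h(x2,z),x1 mod h(x2,z),x1 div h(x2,z)) = <x1 mod x2, x1 div x2>.
    At z = maxi this is the original theorem, because h(x2,maxi) = M(x1,x2),
    x1 mod M(x1,x2) = x1 and x1 div M(x1,x2) = 0."""
    expected = (x1 % x2, x1 // x2)
    top = maxi(x1, x2)
    if h(x2, top) != m(x1, x2):
        return False
    return all(f1_div(x2, h(x2, z), x1 % h(x2, z), x1 // h(x2, z)) == expected
               for z in range(top + 1))


def check_all(limit=40):
    """Both invariants over a grid of small inputs (x2 >= 1 so M terminates)."""
    return (all(fact_invariant_holds(x) for x in range(limit)) and
            all(div_invariant_holds(x1, x2)
                for x1 in range(limit) for x2 in range(1, limit)))
```

Running div_invariant_holds(13, 3) walks the states (24,13,0), (12,1,2), (6,1,4), (3,1,4) of the original computation in reverse order of z; the invariant is exactly the statement that y3 and y4 are the remainder and quotient of x1 by the current y2.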
4. REDEFINITIONS

The  reason  why  some  theorems  are  not  strong  enough  to  carry 
themselves  through  induction  is  that  the  input  specification  is 
not  general  enough;  that  is  the  condition 

¬p(x) & IN(x) -> IN(n(x))

is  not  satisfied.  Theorem  generalization  removes  this  limitation 
by  modifying  IN.  Another  possible  strategy  is  to  try  to  redefine 
the  function.  We  now  describe  how  redefinition  can  be  performed 
for  two  classes  of  programs. 

Consider the example F(x,1) = x!, where F is defined by

F(y1,y2) <= IF y1=0 THEN y2 ELSE F(y1-1,y1*y2)

The function F has two arguments, but we are interested in the
behavior of F with one argument (y2) very specialized in its
use: its initial value is constant. For all purposes, F has
degenerated into a one-variable function. So if we can translate
F(x1,1) into a true one-argument function, it would become
easier to manage.

Let F(x1,1) = F'(x1) where

F'(y1) <= IF y1=0 THEN 1 ELSE y1*F'(y1-1)

and let the theorem to prove be

F'(x1) = x1!

Now if F'(x1) = x1!, then we have

F'(x1+1) = (x1+1)*F'(x1)        from the def. of F'
         = (x1+1)*x1!           from the hypothesis
         = (x1+1)!              property of !


4.1 Redefinition Scheme I


THEOREM 5: Let F1 be defined by iteration,

F1(y,y') <= IF p(y) THEN y' ELSE F1(f(y),g(y,y'))

Suppose we can find the functions h1 and h2 with the properties

g(z,c) = h1(c,z)                                           (16)
and

g(u,h1(v,w)) = h1(g(u,v),h2(w))

Then we can define functions F and F3 by

F(y) <= IF p(y) THEN c
        ELSE h1(F(f(y)),F3(f(y),y))

F3(y,y') <= IF p(y) THEN y'
            ELSE F3(f(y),h2(y'))

such that

F1(x,c) = F(x)

PROOF: By case induction.

Basis: Assume p(x) is true, then from the definitions of F and
F3 it follows that

F(x) = c = F1(x,c).

Induction step:

Assume ¬p(x) and F(f(x)) = F1(f(x),c), then

F(x) = h1(F(f(x)),F3(f(x),x))            from def. of F
     = h1(F1(f(x),c),F3(f(x),c))         from assumption

F1(x,c) = F1(f(x),g(x,c))                from def. of F1
        = F1(f(x),h1(c,x))               from property (16)

Thus we have to prove

F1(f(x),h1(c,x)) = h1(F1(f(x),c),F3(f(x),c)).

But this is just an instance of LEMMA 1 with x instantiated
as f(x), w as c, and z as x.


Example 6:

F1(y1,y2) <= IF y1 = NIL THEN y2
             ELSE F1(cdr(y1),APPEND(y2,car(y1)))

APPEND(y1,y2) <= IF atom(y1) THEN y2
                 ELSE cons(car(y1),APPEND(cdr(y1),y2))

and we have to redefine

F1(x,NIL)

We proceed by defining

g(y1,y2) <= APPEND(y2,car(y1))

We can choose h1 and h2 as

h1(y1,y2) <= APPEND(y2,y1)  and  h2(y1,y2,y3) <= y3

because

g(u,h1(v,w)) = APPEND(APPEND(w,v),car(u))
             = APPEND(w,APPEND(v,car(u))) = h1(g(u,v),h2(u,v,w)).

Also

g(x,NIL) = APPEND(x,NIL) = h1(NIL,x)

Thus F1(x,NIL) can be redefined as

F(y) <= IF y = NIL THEN NIL ELSE APPEND(car(y),F(cdr(y)))
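The following Python program is an added example (not from the paper) that runs Example 6: it represents LISP lists as nested pairs with None as NIL, defines APPEND, the accumulating F1 and the redefined F literally, and checks F1(x,NIL) = F(x) on constructed inputs, including the empty list and empty sublists. The helpers lisp_list and to_python are this example's own conveniences. The elements of x are assumed to be lists themselves; that is what makes APPEND(y2,car(y1)) a concatenation, and it is the reading under which the redefined F agrees with F1.

```python
# Added example (not from the paper): Redefinition Scheme I, Example 6.
# Cons cells are 2-tuples (car, cdr); NIL is None; anything that is not
# a tuple is an atom.  All inputs below are constructed for the check.
NIL = None


def cons(a, d):
    return (a, d)


def car(c):
    return c[0]


def cdr(c):
    return c[1]


def atom(c):
    return not isinstance(c, tuple)


def lisp_list(*items):
    """Builds a proper list from Python values (helper, not in the paper)."""
    out = NIL
    for item in reversed(items):
        out = cons(item, out)
    return out


def to_python(c):
    """Converts a proper list back to a (nested) Python list for display."""
    out = []
    while c is not NIL:
        head = car(c)
        out.append(to_python(head) if head is NIL or not atom(head) else head)
        c = cdr(c)
    return out


def append(y1, y2):
    """APPEND(y1,y2) <= IF atom(y1) THEN y2
                        ELSE cons(car(y1), APPEND(cdr(y1), y2))."""
    return y2 if atom(y1) else cons(car(y1), append(cdr(y1), y2))


def f1(y1, y2):
    """The original accumulator version:
    F1(y1,y2) <= IF y1 = NIL THEN y2 ELSE F1(cdr(y1), APPEND(y2, car(y1)))."""
    return y2 if y1 is NIL else f1(cdr(y1), append(y2, car(y1)))


def f(y):
    """The redefinition of F1(x, NIL) obtained by Scheme I:
    F(y) <= IF y = NIL THEN NIL ELSE APPEND(car(y), F(cdr(y)))."""
    return NIL if y is NIL else append(car(y), f(cdr(y)))


def redefinition_agrees(x):
    """F1(x, NIL) = F(x) on one list of lists x (structural equality)."""
    return f1(x, NIL) == f(x)


def check_samples():
    """Constructed inputs: NIL, ordinary sublists, and empty sublists."""
    samples = [
        lisp_list(),
        lisp_list(lisp_list(1, 2), lisp_list(3), lisp_list(4, 5, 6)),
        lisp_list(lisp_list(), lisp_list('a'), lisp_list()),
        lisp_list(lisp_list(1), lisp_list(2), lisp_list(3), lisp_list(4)),
    ]
    return all(redefinition_agrees(x) for x in samples)
```

The two sides build the result in opposite orders: F1 grows the accumulator from the left, APPEND(APPEND(a,b),c), while F nests from the right, APPEND(a,APPEND(b,APPEND(c,NIL))); they coincide because APPEND is associative and APPEND(c,NIL) = c for a proper list c, which is the content of the h1/h2 identity above.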

4.2 Redefinition Scheme II


THEOREM 6: Let F1 be defined by

F1(y,y') <= IF p(y) THEN G(y,y') ELSE F1(f(y),y')

where

G(y,y') <= IF q(y) THEN y' ELSE G(If(y),g(y,y')).

Provided that we have

If(f(x)) = x                                                 (17)

max{j | q(f^j(x))} = 0                                       (18)

we can transform F1(x,c) into F(x), where

F(y) <= IF p(y) THEN c ELSE g(f(y),F(f(y))).

PROOF

Let maxi = min{j | p(f^j(x))}.

From the definition it follows that

F1(x,c) = F1(f(x),c) = F1(f^2(x),c) = ... = F1(f^maxi(x),c)
        = G(f^maxi(x),c)

Because of (17) and (18) it also follows that

G(f^maxi(x),c) = G(If(f^maxi(x)),g(f^maxi(x),c))
               = G(f^(maxi-1)(x),g(f^maxi(x),c))
               ...
               = G(x,g(f(x),g(f^2(x),...,g(f^maxi(x),c))))
               = g(f(x),g(f^2(x),...,g(f^maxi(x),c)))

Now we can evaluate F(x) as follows:

F(x) = g(f(x),F(f(x))) = g(f(x),g(f^2(x),F(f^2(x))))
     = ... = g(f(x),g(f^2(x),...,g(f^maxi(x),F(f^maxi(x)))))
     = g(f(x),g(f^2(x),...,g(f^maxi(x),c)))

Hence we conclude that F1(x,c) = F(x).

Suppose that instead of knowing the complete definition of
F1 we have only a definition of G. We can rewrite G provided we
can find suitable f and p. The function f must satisfy the
properties (17) and (18), and, moreover, p must also satisfy the
condition

min{j | p(f^j(x))} = min{j | q(If^j(x))}                     (19)

In some cases it is possible to find such p and f quite easily.
For example let G be defined as

G(y1,y2,y3) <= IF y1 = y2 THEN y3 ELSE G(y1,If(y2),g(y2,y3))
and let us try to redefine G(x,c,c'). Suppose we can find f such
that

If(f(x)) = f(If(x)) = x

then

p(y) <= (y = c).

We can prove by contradiction that p(y) satisfies (19).

Let k = min{j | If^j(c) = x}.

Suppose there is an m < k such that c = f^m(x); then

If(c) = f^(m-1)(x)
If^2(c) = f^(m-2)(x)
...
If^m(c) = x

which is contrary to our assumption.


Example 7:

F1(y0,y1,y2,y3) <= IF y0 < y2 THEN G(y0,y1,y2,y3)
                   ELSE F1(y0,y1,2*y2,y3)

G(y0,y1,y2,y3) <= IF y1 = y2 THEN y3
                  ELSE IF (y3 >= y2 div 2)
                       THEN G(y0,y1,y2 div 2,y3 - y2 div 2)
                       ELSE G(y0,y1,y2 div 2,y3).

We will redefine F1(x1,x2,x2,x1). Since

y = <y0,y1,y2>,
f(y) = <y0,y1,2*y2>,
If(y) = <y0,y1,y2 div 2>,

the conditions (17) and (18) are satisfied:

If(f(y)) = If(<y0,y1,2*y2>) = <y0,y1,(2*y2) div 2> = y

max{j | x2 = 2^j * x2} = 0

The function F is then (the constant c of Theorem 6 is the initial
value x1 of y3, which is carried unchanged in y0)

F(y0,y1,y2) <= IF y0 < y2 THEN y0
               ELSE IF (F(y0,y1,2*y2) >= (2*y2) div 2)
                    THEN F(y0,y1,2*y2) - (2*y2) div 2
                    ELSE F(y0,y1,2*y2).

We can simplify this definition (y1 is never used, and
(2*y2) div 2 = y2) to

F(y1,y2) <= IF y1 < y2 THEN y1
            ELSE IF (F(y1,2*y2) >= y2)
                 THEN F(y1,2*y2) - y2
                 ELSE F(y1,2*y2).

Example 8:

F1(y1,y2,y3) <= IF y1=y2 THEN y3 ELSE F1(y1,y2+1,(y2+1)*y3)

We would like to redefine F1(x,0,1). Since If(y2) <= y2+1, we
can define f(y2) <= y2-1. Now we have

If(f(y2)) = If(y2-1) = (y2-1)+1 = y2 = (y2+1)-1 = f(If(y2))

Therefore p(y2), which satisfies the requirement (19), is

p(y2) <= (y2 = 0)

and the new definition of F1(x,0,1) is

F(y1) <= IF y1 = 0 THEN 1 ELSE ((y1-1)+1)*F(y1-1).

Or, after some simplifications, we can define

F(y1) <= IF y1 = 0 THEN 1 ELSE y1*F(y1-1).
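As an added example (not the paper's code), the Python program below runs Examples 7 and 8: the original two-phase F1/G of Example 7 against its simplified redefinition F, and the accumulating F1 of Example 8 against F(y1) = y1*F(y1-1). Both original functions are transcribed as loops where the recursion is a tail call. The check for Example 7 also pins down what the redefined function computes, F1(x1,x2,x2,x1) = F(x1,x2) = x1 mod x2, which is verified here rather than stated in the paper. The names f1_7, g7, f7, f1_8 and f8 are this example's own.

```python
# Added example (not from the paper): Redefinition Scheme II,
# Examples 7 and 8.  Each original definition is run against its
# redefinition on constructed small inputs.
from math import factorial


def g7(y0, y1, y2, y3):
    """Example 7, G: IF y1 = y2 THEN y3
                     ELSE IF y3 >= y2 div 2 THEN G(y0,y1,y2 div 2,y3 - y2 div 2)
                     ELSE G(y0,y1,y2 div 2,y3)."""
    while y1 != y2:                 # tail recursion written as a loop
        half = y2 // 2
        y2, y3 = half, (y3 - half if y3 >= half else y3)
    return y3


def f1_7(y0, y1, y2, y3):
    """Example 7, F1: IF y0 < y2 THEN G(y0,y1,y2,y3) ELSE F1(y0,y1,2*y2,y3)."""
    while not y0 < y2:
        y2 = 2 * y2
    return g7(y0, y1, y2, y3)


def f7(y1, y2):
    """The simplified redefinition of F1(x1,x2,x2,x1):
    F(y1,y2) <= IF y1 < y2 THEN y1
                ELSE IF F(y1,2*y2) >= y2 THEN F(y1,2*y2) - y2 ELSE F(y1,2*y2).
    The recursive call is evaluated once instead of up to three times."""
    if y1 < y2:
        return y1
    r = f7(y1, 2 * y2)
    return r - y2 if r >= y2 else r


def f1_8(y1, y2, y3):
    """Example 8, F1: IF y1 = y2 THEN y3 ELSE F1(y1, y2+1, (y2+1)*y3)."""
    while y1 != y2:
        y2, y3 = y2 + 1, (y2 + 1) * y3
    return y3


def f8(y1):
    """The redefinition of F1(x,0,1): F(y1) <= IF y1 = 0 THEN 1 ELSE y1*F(y1-1)."""
    return 1 if y1 == 0 else y1 * f8(y1 - 1)


def check_example7(limit=64):
    """F1(x1,x2,x2,x1) = F(x1,x2) = x1 mod x2 for 0 <= x1 < limit, 1 <= x2 < limit."""
    return all(f1_7(x1, x2, x2, x1) == f7(x1, x2) == x1 % x2
               for x1 in range(limit) for x2 in range(1, limit))


def check_example8(limit=30):
    """F1(x,0,1) = F(x) = x! for 0 <= x < limit."""
    return all(f1_8(x, 0, 1) == f8(x) == factorial(x) for x in range(limit))
```

The doubling phase of Example 7 corresponds to the outer F1 recursion (depth maxi = the first j with x1 < 2^j * x2), and the halving phase to G; in the redefined F the same maxi is the recursion depth, and the halving work is done on the way back out of the recursion, which is exactly the unfolding used in the proof of Theorem 6.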


5.  CONCLUSION 

We  have  developed  some  methods  for  generalizing  theorems 
about  recursively  defined  functions,  so  that  the  generalized 
form  of  these  theorems  is  more  suitable  for  proof  by  induction. 
We  have  given  some  heuristics  to  carry  out  the  generalization 
for  certain  patterns  of  theorems  and  recursive  definitions. 
Invariant  assertions  are  sometimes  obtained  as  a  by-product  in 
this generalization.

Our generalization heuristics are based on an analysis
of the defined functions. Whenever these heuristics are applicable,
the generalized theorems are true iff the original theorems are.
This is not the case with the heuristics in Boyer and Moore [2].
In their heuristics (replacing the terms common to both sides of an
equality or implication), the above relation is missing.
Furthermore,  our  heuristics  are  based  on  an  analysis  of 
definitional  schemas.  Given  a  function,  we  find  a  matching 
schema  and  obtain  information  about  the  function  that  will 
enable  us  to  generalize.  Aubin  [1],  on  the  other  hand,  analyses 
functions  ad  hoc  to  replace  a  constant  with  an  expression 
describing  all  the  possible  values  this  argument  could  acquire. 
Our  choice  of  expressions  to  replace  constants,  however,  takes 
into  account  the  influence  this  change  of  the  initial  value  will 
have  on  the  final  result  of  the  computation. 

We believe it is possible to apply our generalization
method to other types of definitional schemas and develop a
catalog of heuristics for different classes of programs. This
seems more useful than generalizing the same heuristics to a very
large class of programs, since that would complicate the test of
the heuristics' applicability.

In  the  literature,  the  work  on  redefinition  of  functions 
has  been  done  for  other  purposes:  e.g.  when  defining  functions 
by  recursion,  one  may  try  to  find  a  more  compact  definition  of 
composition  of  such  functions  (Chatelin  [3]).  We  have  given 
methods  to  redefine  functions  in  order,  again,  to  simplify  the 
proof  of  certain  theorems  describing  the  properties  of 
recursively  defined  functions.  With  these  redefined  functions, 
theorems  become  much  easier  to  prove  than  with  the  original 
definitions. 




REFERENCES

1. Aubin, R. 1975: "Some Generalization Heuristics in Proofs by
   Induction", Colloques IRIA Proving and Improving
   Programs, Arc et Senans, pp. 197-208 (July)

2. Boyer, R.S. and Moore, J.S. 1975: "Proving Theorems About
   LISP Functions", Journal of A.C.M. 22, 1, pp. 129-174
   (January)

3. Chatelin, P. 1977: "Self-redefinitions as a Program
   Manipulation Strategy", SIGPLAN Notices 12, 8, pp. 174-179
   (August)

4. Greif, I. and Waldinger, R.J. 1974: "A More Heuristic
   Approach to Program Verification", Proc. Intl. Symp. on
   Programming, Paris, France, pp. 83-90

5. Manna, Z. 1974: "Mathematical Theory of Computation", McGraw-
   Hill Book Co., New York, NY.

6. Manna, Z. and Pnueli, A. 1970: "Towards a Mathematical
   Theory of Computation", Journal of ACM 17, 3, pp. 555-569
   (July)

7. McCarthy, J. 1962: "Towards a Mathematical Science of
   Computation", Information Processing, Proceedings of IFIP
   Congress 1962 (ed. C.M. Popplewell), North Holland
   Publishing Company, Amsterdam, pp. 21-28

8. Misra, J. 1975: "Relations Uniformly Conserved by a Loop",
   Colloques IRIA Proving and Improving Programs, Arc et
   Senans, pp. 71-79 (July)

9. Moore, J.S. 1974: "Introducing Iteration into the Pure LISP
   Theorem Prover", CSL-74-3, Xerox Palo Alto Research
   Center, Palo Alto, Ca.

10. Morris, J.H. and Wegbreit, B. 1977: "Subgoal Induction",
    Communications of ACM 20, 4, pp. 208-222 (April)
    Programs", Ph.D. Thesis, University of Edinburgh, Edinburgh

11. Wegbreit, B. 1974: "The Synthesis of Loop Predicates", Comm.
    of the ACM 17, 2, pp. 102-112 (February)


REPORT DOCUMENTATION PAGE

Title: THEOREM GENERALIZATION IN PROGRAM VERIFICATION
Type of report: Technical Report
Authors: Jan Vytopil, S. Kamal Abdali
Contract or grant number: ONR N00014-75-C-1026
Performing organization: Mathematical Sciences Department,
Rensselaer Polytechnic Institute, Troy, N.Y. 12181
Controlling office: Office of Naval Research Resident
Representative, 715 Broadway - 5th Floor, N.Y., N.Y. 10003
Report date: June 1981
Number of pages: 31
Security classification: Unclassified
Distribution Statement A: Approved for public release;
distribution unlimited.

Abstract:

The generalization of theorems about programs obtained
from recursive schemas is discussed. Methods are given to
generalize theorems about two classes of programs to make
the theorems easier to prove by induction. Invariant
assertions are obtained as a by-product of the generalization
process. Also, methods are given to redefine the functions
representing programs so as to simplify the proof of program
properties in certain cases.